HR Privacy Policy

This privacy policy governs data collection and processing related to the HR processes of Passbolt SA ("we", "us" or "Passbolt").

This policy covers the information you share with us and/or which may be acquired or produced during the application or recruitment process. If you are offered and accept employment, the information collected during the application and recruitment process will become part of your employment record.

By applying for a job opening, you ("you", or the "User") agree to the terms of this Privacy Policy. This Privacy Policy explains what information we collect and why we collect it; how we use that information; and how to access and update that information.

Please note that your use of the Passbolt website and services is governed by the general Privacy Policy and your service terms and conditions, if any.


We define Personal Information (or "your information") in the following manner: Any information that you provide to us about yourself while using the service that could help someone else identify you as an individual entity. This may include information such as your name, phone number, location, IP address, system locale and preferences, picture, etc.

We define the following subdomain of the main website "" and "" as “Career Site”.

What personal information is collected

Here is a summary of the Personal Information we collect:

  • Your name, address, email address, telephone number and other contact information;
  • Any sensitive data obtained during the selection process such as gender, language proficiency, information about your nationality, immigration status, ID proofs and criminal records;
  • Your resume or CV, cover letter, previous work experience, education details, diplomas, or other information you provide to us in support of an application;
  • Details of the type of employment you are applying for, desired salary, willingness to relocate, or other job preferences and benefits;
  • Details of how you heard about the position you are applying for;
  • Information from interviews or assessments you may take as part of the screening or performance review process;
  • Contact information about your references. It is your responsibility to obtain consent from referees before providing their personal information to us.
  • Emergency contact information. It is your responsibility to obtain consent from your emergency contact before providing their personal information to us.

Why do we collect personal information

We collect and process your information where it is necessary in order to take steps, at your request, to potentially enter into a contract of employment with you. We also seek your consent to process your personal information in specific circumstances to comply with legal obligations.

How your personal information may be used

Your information may be used for the following purposes:

  • Communicating with you about the application or recruitment process;
  • Communicating with you about other career opportunities that we think may be suitable for you;
  • Assessing your skills and qualifications;
  • Verifying your information and carrying out reference checks and/or conducting background checks;
  • Creating and/or submitting reports as required under any local laws and/or regulations, where applicable;
  • Assisting you with obtaining a visa or immigration permit where required;
  • Complying with applicable laws, regulations, legal processes or enforceable governmental requests.

Who may have access to your information

We will never sell, rent or loan any personal information to any third party. The following parties may have access to your personal data under certain conditions.


Your information may be shared with our employees, contractors, affiliates, subsidiaries, in relation to the purposes described above.


Our company is registered in the Grand Duchy of Luxembourg. We are therefore subject to Luxembourg and European legislative texts on data protection and privacy.

We may also be required to disclose your information to external third parties such as to local labour authorities, courts and tribunals, regulatory bodies and/or law enforcement agencies for the purpose of complying with applicable laws and regulations, or in response to legal process.

Our organization relies on services (such as hosting) provided by companies registered in the USA. They are obliged to provide access to notices pursuant to judicial, regulatory or other governmental orders or requests valid in the USA.

Service providers

We primarily use Bamboo HR to host our Career site. The site data is hosted in Europe in a data center located in Ireland. You can learn more about the security measures taken by Bamboo HR to protect your data on their website. You can also find the associated Data Protection Agreement.

We will also share your personal information with other third parties to detect, prevent or otherwise address fraud, security audits and compliance or technical issues.

How long we retain your information

We take appropriate steps to protect information about you that is collected, processed, and stored as part of the application and recruitment process.

You can also edit, delete and get access to personal information that we hold within 60 days of any request you make by contacting us: [email protected].

We are committed to deleting personal information when the retention of data concerning you is no longer justified and we have no legitimate reason (e.g. legal obligations) that justifies the retention of your data. Please note, however, that we may retain some information if required by law or as necessary to protect ourselves from legal claims.

How do we protect your data

Due to the sensitive nature of the information, we work hard to prevent unauthorized access to or unauthorized alteration, disclosure or destruction of information we hold. In particular:

  • We encrypt access to all of our services using SSL. We ensure encryption of communication not only between you and our servers but also internally between parts of our application.
  • We use strong authentication mechanisms, including for example second factor authentication and anti-phishing mechanisms.
  • We regularly review our information collection, storage and processing practices, to guard against unauthorized access to systems. We use intrusion detection systems to monitor our network.
  • We restrict access to personal information to employees, contractors and agents who need to know that information in order to process it for us, and who are subject to strict contractual confidentiality obligations.
  • We make sure all of our service providers implement industry standards and compliance instruments such as ISO27001, PCI-DSS, SOC 2.
  • We rely on standard contract clauses for data transfers as a means of ensuring adequate protection when transferring data outside of the EEA.

Changes to this Policy

We may change this policy from time to time. We will post any changes to this policy on this page. Each version of this policy is identified at the top of the page by its effective date.

Last updated: March 19th, 2021